OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: RainerR on October 07, 2017, 02:35:15 am

Title: IPsec | VPN Client Connection to more than 1 subnet - possible?
Post by: RainerR on October 07, 2017, 02:35:15 am
Hello Community.

First of all, here are the key facts of my project:
After I have enticed the reader of this post to continue reading, here is the essential information about what I want to configure.  ;)

Basically, my configuration works without any problems and has been in operation for about a year.

What exactly does this mean and what does it have to do with the subject of this post?

Right, now it's getting exciting. Currently I can access a subnet via IPsec VPN without any problems.
However, I would like to extend the access to several subnets.

That's the point where I can't move on.
I searched the forum, read the documentation, found some hints, but couldn't find a solution.

Now I have landed in the FUBA (fiddling and tinkering) mode and tested various settings of the IPsec tunnels and the mobile client configuration - so far without success.
Lastly, I had the idea to configure a separate phase-2 entry for each subnet, but that didn't work either.

It would be damn cool if any of you had a solution to my problem.

It would also be cool if someone could tell me if what I'm planning to do is technically possible or not.

Every hint is more than welcome to leave FUBA mode.

If you don't want to answer in English, I am a native German speaker and you can also answer me in German.
Depending on how this post develops, I can write a summary in English and/or German so that other searchers can also benefit from the result.

Best regards,
Rainer.
Title: Re: IPsec | VPN Client Connection to more than 1 subnet - possible?
Post by: mimugmail on October 07, 2017, 06:22:02 am
You could use 0.0.0.0/0 to tunnel everything through VPN or use OpenVPN for this.
Title: Re: IPsec | VPN Client Connection to more than 1 subnet - possible?
Post by: bartjsmit on October 07, 2017, 08:59:07 am
Large organisations route entire offices through IPSec tunnels, both ways. Your chances of success are excellent.

Your client subnet needs to know a route to the remote subnets and they need to know a route back. If the IPSec routers are not the default gateway on each side, you'll need static routes.

Make sure ICMP is allowed everywhere and do traffic captures to follow the trail through your network. This post will guide you: https://forum.ivorde.com/tcpdump-how-to-to-capture-only-icmp-ping-echo-requests-t15191.html

Bart...
Title: Re: IPsec | VPN Client Connection to more than 1 subnet - possible?
Post by: franco on October 09, 2017, 11:33:43 pm
Spanning your IPsec over a large network (up to 0.0.0.0/0 meaning all) works as Michael described, and what Bart said about routing through IPsec is also true as long as you make sure to add proper gateways between your IPsec peers, because if you simply try to reach through a tunnel out of its network mask bounds it will fail as security policies allow it, which is what the former approach works around by extending the bounds.

Another way is to use the advanced settings in phase 2 since OPNsense 17.7.1 and add your manual SPD network entries, a sort of ACL for attached networks, that you allow IPsec to route to even though they are not strictly part of your setup. Well, after adding them they are. ;)
Cheers,
Franco
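The three options in this thread (a single phase 2 selector, a 0.0.0.0/0 selector as Michael suggests, or extra per-subnet SPD entries as Franco describes) all come down to whether an IPsec security policy covers a given source/destination pair. The following is an added example, not code from the thread or from OPNsense; it models the Security Policy Database lookup in a few lines so the "outside the mask bounds" failure is visible. All addresses, policy names and the client pool are constructed, and the model is deliberately simplified (first matching policy wins, no priorities, no protocol/port selectors) compared with what strongSwan installs in the kernel.

```python
"""Toy model of an IPsec Security Policy Database (SPD) lookup.

Each policy is a pair of traffic selectors (local, remote).  A packet is only
sent through the tunnel when some policy matches BOTH its source and its
destination; otherwise it falls back to ordinary routing and never reaches the
IPsec peer, even if a route for the destination exists.

Constructed example data (not from the thread):
  mobile client pool  10.200.0.0/24   (client gets 10.200.0.5)
  LAN behind OPNsense 192.168.1.0/24  (the one phase 2 that already works)
  second LAN          192.168.2.0/24  (the subnet the OP cannot reach)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    local: object   # local traffic selector, e.g. the mobile client pool
    remote: object  # remote traffic selector, e.g. a phase 2 subnet


def policy(name: str, local: str, remote: str) -> Policy:
    return Policy(name, ip_network(local), ip_network(remote))


def spd_lookup(policies: Iterable[Policy], src: str, dst: str) -> Optional[Policy]:
    """Return the first policy whose selectors cover src -> dst, else None.

    None means 'not protected by IPsec': the packet leaves in the clear via the
    routing table (or is dropped by the firewall), which is the symptom the OP
    sees for the second subnet.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for pol in policies:
        if src_ip in pol.local and dst_ip in pol.remote:
            return pol
    return None


def reachable(policies: Iterable[Policy], src: str, dsts: Iterable[str]) -> dict:
    """Map each destination to the matching policy name ('' when no policy matches)."""
    pols = list(policies)
    result = {}
    for dst in dsts:
        hit = spd_lookup(pols, src, dst)
        result[dst] = hit.name if hit else ""
    return result


CLIENT_POOL = "10.200.0.0/24"
CLIENT_IP = "10.200.0.5"

# 1) The OP's current state: exactly one phase 2 entry.
SINGLE_PHASE2 = [policy("ph2-lan1", CLIENT_POOL, "192.168.1.0/24")]

# 2) Franco's approach: add manual SPD entries (or extra phase 2 entries),
#    one per subnet the client should reach.
PER_SUBNET = SINGLE_PHASE2 + [policy("spd-lan2", CLIENT_POOL, "192.168.2.0/24")]

# 3) Michael's approach: widen the selector to 0.0.0.0/0 (full tunnel).
FULL_TUNNEL = [policy("full-tunnel", CLIENT_POOL, "0.0.0.0/0")]

TARGETS = ["192.168.1.10", "192.168.2.10", "203.0.113.7"]  # constructed hosts

if __name__ == "__main__":
    for label, pols in [("single phase 2", SINGLE_PHASE2),
                        ("per-subnet SPD", PER_SUBNET),
                        ("0.0.0.0/0", FULL_TUNNEL)]:
        print(f"{label:15s}", reachable(pols, CLIENT_IP, TARGETS))
```

The second run shows Franco's point directly: 192.168.2.10 only matches once a policy whose remote selector contains it exists, regardless of any static route. The last run shows why 0.0.0.0/0 "just works" (every destination matches, including the Internet host), and also why it is the heavier option: all client traffic now rides the tunnel and is subject to the firewall rules on the OPNsense side. Note too that a source outside the client pool never matches, so a wrong virtual-IP pool in the mobile client settings fails in the same silent way.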